CTI STIX Subcommittee

  • 1.  Current thoughts on Event Object

    Posted 09-11-2017 13:41


    CTI-TC,
     
    I have made an attempt to summarize the discussion to date surrounding the Event object. I have tried to use the diagrams that we’ve been referencing that show several workflows and where I see the various
    SDOs we have been discussing.
     
    I think there are five separate things that we’ve been talking about with regards to “Event”:
     
    Object 1) Some sort of front end device sensing something. You could call this an alert, an event, a log line, etc. 
    Object 2) A somewhat more mature version of the thing above. It
    may be one to one, but it may not be. There may be many of Object #1 that make up one Object #2. 
    Object 3) A way to document an incident/investigation that is either ongoing or concluded. This may (or may not) have come from an evolution out of an Object 1 or 2. Likely, most IR tools will not use Object
    3 directly, so it should probably be a sort of summary object that can allow the results of an IR investigation to be linked back to all the related data (like Objects 1 and 2, but also Actors, malware, etc)
    Object 4) Some sort of automated method of reporting, for cases such as mandatory reporting (like to US CERT). 
    Object 5) A way to group a bunch of related data together. 
     
    I see these as five distinct SDOs. Objects 1 and 2 are very similar, and
    could be represented by one SDO, but if that was the case, then the SDO would need to have a relationship type of “this arglebargle is one of many arglebargles that make up this larger arglebargle”.
     
    Object 1 has a lot of logistical overlap with a Sighting. There would need to be some sort of deconfliction between what properties were trying to be represented by Object 1 to make sure it wasn’t just a duplicate
    of Sighting (which, by definition, is something that was ‘seen’, just as Object 1 was described to be). This could also just be an Observed Data object, if the it wasn’t actually “sighted”.

     
    Object 2 is something that would likely be looked at by a SOC analyst. It isn’t really something that involves IR, but rather “is this thing my sensor generated good or bad?”
     
    Object 3 is for your IR people or your CERT. 
     
    Object 4 is likely distinct from the Report object as we have it now, as it’s not likely to be in the same vein as a ‘published report’, but rather, “Here are the series of questions that US CERT makes me
    answer every time we have an ‘incident’”. 
     
    Object 5 is basically what MISP has been asking for. 
     
    I believe Objects 1-3 roughly correlate to the first three objects from the FireEye proposal of “Event”, “Alert”, and “Investigation”. Object 5 is closer to their “Grouping” object. 
     
    All that being said, many of these tasks are not currently done in STIX (if not most of them). In the diagram, we have the TIP (in green) as being a separate object that lives alongside the workflow, but isn’t
    really IN the workflow. That being said, if we added objects 1, 2, 4, and 5, I think it could allow for easier data flow into/out of a TIP. (I don’t think the IR object will ever be used directly by the types of tools that produce that data, but maybe
    I’m wrong.) 
     
    Personally, I think the Event object as it currently stands is somewhat of a combination of Object 2 and Object 3. If people agree that these are really separate objects, I think we could scope out a few properties
    and turn the current Event object into Object 2 or Object 3 fairly easily (or easily split it into two objects). I think Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed Data). I think Object 4 is out of scope for 2.1. I think
    Object 5 will be covered by the “collection vs. report” debate/object, for which we should soon have a proposal.

     
     

     
     
    Thoughts are appreciated.

     
    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     

          
                 
    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments
    is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .
    .....



    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
    immediately and permanently delete the message and any attachments.


    . . . . .



  • 2.  Re: [cti-stix] Current thoughts on Event Object

    Posted 09-11-2017 14:44
    For the record, - I also agree / believe that Object
    1 is a sighting of observed data - I am in support of focus on Object
    2/3 - I have not opinion as of yet if object
    2 and 3 need to be separate objects. I think this will come out from the
    discussion, if we get a consensus on this approach. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security Without data, all you are is just another person with an opinion - Unknown
    From:      
      Sarah Kelley <Sarah.Kelley@cisecurity.org> To:      
      "cti-stix@lists.oasis-open.org"
    <cti-stix@lists.oasis-open.org> Date:      
      09/11/2017 10:41 AM Subject:    
        [cti-stix] Current
    thoughts on Event Object Sent by:    
        <cti-stix@lists.oasis-open.org> CTI-TC,   I have made an attempt to summarize the
    discussion to date surrounding the Event object. I have tried to use the
    diagrams that we’ve been referencing that show several workflows and where
    I see the various SDOs we have been discussing.   I think there are five separate things
    that we’ve been talking about with regards to “Event”:   Object 1) Some sort of front end device
    sensing something. You could call this an alert, an event, a log line,
    etc. Object 2) A somewhat more mature version
    of the thing above. It may be one to one, but it may not be. There
    may be many of Object #1 that make up one Object #2. Object 3) A way to document an incident/investigation
    that is either ongoing or concluded. This may (or may not) have come from
    an evolution out of an Object 1 or 2. Likely, most IR tools will not use
    Object 3 directly, so it should probably be a sort of summary object that
    can allow the results of an IR investigation to be linked back to all the
    related data (like Objects 1 and 2, but also Actors, malware, etc) Object 4) Some sort of automated method
    of reporting, for cases such as mandatory reporting (like to US CERT).
    Object 5) A way to group a bunch of related
    data together.   I see these as five distinct SDOs. Objects
    1 and 2 are very similar, and could be represented by one SDO, but
    if that was the case, then the SDO would need to have a relationship type
    of “this arglebargle is one of many arglebargles that make up this larger
    arglebargle”.   Object 1 has a lot of logistical overlap
    with a Sighting. There would need to be some sort of deconfliction between
    what properties were trying to be represented by Object 1 to make sure
    it wasn’t just a duplicate of Sighting (which, by definition, is something
    that was ‘seen’, just as Object 1 was described to be). This could also
    just be an Observed Data object, if the it wasn’t actually “sighted”.
      Object 2 is something that would likely
    be looked at by a SOC analyst. It isn’t really something that involves
    IR, but rather “is this thing my sensor generated good or bad?”   Object 3 is for your IR people or your
    CERT.   Object 4 is likely distinct from the Report
    object as we have it now, as it’s not likely to be in the same vein as
    a ‘published report’, but rather, “Here are the series of questions
    that US CERT makes me answer every time we have an ‘incident’”.   Object 5 is basically what MISP has been
    asking for.   I believe Objects 1-3 roughly correlate
    to the first three objects from the FireEye proposal of “Event”, “Alert”,
    and “Investigation”. Object 5 is closer to their “Grouping” object.
      All that being said, many of these tasks
    are not currently done in STIX (if not most of them). In the diagram, we
    have the TIP (in green) as being a separate object that lives alongside
    the workflow, but isn’t really IN the workflow. That being said,
    if we added objects 1, 2, 4, and 5, I think it could allow for easier data
    flow into/out of a TIP. (I don’t think the IR object will ever be used
    directly by the types of tools that produce that data, but maybe I’m wrong.)
      Personally, I think the Event object as
    it currently stands is somewhat of a combination of Object 2 and Object
    3. If people agree that these are really separate objects, I think we could
    scope out a few properties and turn the current Event object into Object
    2 or Object 3 fairly easily (or easily split it into two objects). I think
    Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed
    Data). I think Object 4 is out of scope for 2.1. I think Object 5 will
    be covered by the “collection vs. report” debate/object, for which we
    should soon have a proposal.         Thoughts are appreciated.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information
    Sharing and Analysis Center (MS-ISAC)          
            31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations
    Center SOC@cisecurity.org - 1-866-787-4722                  
      This message and attachments may contain
    confidential information. If it appears that this message was sent to you
    by mistake, any retention, dissemination, distribution or copying of this
    message and attachments is strictly prohibited. Please notify the sender
    immediately and permanently delete the message and any attachments. . . . . . ..... This message and attachments may contain confidential information.
    If it appears that this message was sent to you by mistake, any retention,
    dissemination, distribution or copying of this message and attachments
    is strictly prohibited. Please notify the sender immediately and permanently
    delete the message and any attachments. . . . . .



  • 3.  RE: Current thoughts on Event Object

    Posted 09-11-2017 15:01
    Sarah,    I think this is a nice breakdown of the various types of event use cases.  I’d be interested in seeing whether objects 3-5 could be combined into one object type and object 1 and 2 would be a separate object type (perhaps covered under some variation of a Sighting or Observed Data.. maybe?)      One of the big reasons for this is if we have 5 different object types, people will invariantly not understand the distinction and use the wrong object type, creating issues on the receiving side and on correlation between events.  I would state that Object 3 should be the information you wish to send to another organization concerning an investigation, but the internals of how that investigation workflows occur would not be included within STIX.  The reporting agency in object 4 therefore would just be one of the organizations receiving the information.  It also means that the tools do not need to reformat information differently for mandatory reporting rather than a standard investigation.       Our organization has similar reporting requirements as US CERT.  My plan was to take the event object and add custom properties to it to support the Object 4 use case.  Since the reporting requirements will differ for each agency, it would be very difficult for OASIS to have an influence on what each agency (whether US or foreign) would wish to receive, I’d suggest keeping it at the custom property level.  The useful cyber intelligence data though should mirror what is anyway useful for sending in object 3.     Object 5 I see as mainly being useful when you can add context to why you are grouping the stuff together, in which case it starts to look close to Object 3.   -Gary   From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sarah Kelley Sent: Monday, September 11, 2017 9:41 AM To: cti-stix@lists.oasis-open.org Subject: [Non-DoD Source] [cti-stix] Current thoughts on Event Object   CTI-TC,   I have made an attempt to summarize the discussion to date surrounding the Event object. I have tried to use the diagrams that we’ve been referencing that show several workflows and where I see the various SDOs we have been discussing.   I think there are five separate things that we’ve been talking about with regards to “Event”:   Object 1) Some sort of front end device sensing something. You could call this an alert, an event, a log line, etc.  Object 2) A somewhat more mature version of the thing above. It may be one to one, but it may not be. There may be many of Object #1 that make up one Object #2.  Object 3) A way to document an incident/investigation that is either ongoing or concluded. This may (or may not) have come from an evolution out of an Object 1 or 2. Likely, most IR tools will not use Object 3 directly, so it should probably be a sort of summary object that can allow the results of an IR investigation to be linked back to all the related data (like Objects 1 and 2, but also Actors, malware, etc) Object 4) Some sort of automated method of reporting, for cases such as mandatory reporting (like to US CERT).  Object 5) A way to group a bunch of related data together.    I see these as five distinct SDOs. Objects 1 and 2 are very similar, and could be represented by one SDO, but if that was the case, then the SDO would need to have a relationship type of “this arglebargle is one of many arglebargles that make up this larger arglebargle”.   Object 1 has a lot of logistical overlap with a Sighting. There would need to be some sort of deconfliction between what properties were trying to be represented by Object 1 to make sure it wasn’t just a duplicate of Sighting (which, by definition, is something that was ‘seen’, just as Object 1 was described to be). This could also just be an Observed Data object, if the it wasn’t actually “sighted”.   Object 2 is something that would likely be looked at by a SOC analyst. It isn’t really something that involves IR, but rather “is this thing my sensor generated good or bad?”   Object 3 is for your IR people or your CERT.    Object 4 is likely distinct from the Report object as we have it now, as it’s not likely to be in the same vein as a ‘published report’, but rather, “Here are the series of questions that US CERT makes me answer every time we have an ‘incident’”.    Object 5 is basically what MISP has been asking for.    I believe Objects 1-3 roughly correlate to the first three objects from the FireEye proposal of “Event”, “Alert”, and “Investigation”. Object 5 is closer to their “Grouping” object.    All that being said, many of these tasks are not currently done in STIX (if not most of them). In the diagram, we have the TIP (in green) as being a separate object that lives alongside the workflow, but isn’t really IN the workflow. That being said, if we added objects 1, 2, 4, and 5, I think it could allow for easier data flow into/out of a TIP. (I don’t think the IR object will ever be used directly by the types of tools that produce that data, but maybe I’m wrong.)    Personally, I think the Event object as it currently stands is somewhat of a combination of Object 2 and Object 3. If people agree that these are really separate objects, I think we could scope out a few properties and turn the current Event object into Object 2 or Object 3 fairly easily (or easily split it into two objects). I think Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed Data). I think Object 4 is out of scope for 2.1. I think Object 5 will be covered by the “collection vs. report” debate/object, for which we should soon have a proposal.         Thoughts are appreciated.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722                        This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . . ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . . Attachment: smime.p7s Description: S/MIME cryptographic signature


  • 4.  Re: [cti-stix] RE: Current thoughts on Event Object

    Posted 09-11-2017 15:22
    Hi Gary - in my opinion, object 1 and 2
    could not be combined as they are very different use cases. Object 1 is essentially "the event
    as it was seen". Object 2  is the result of an analytic process
    - which may have dozens to or thousands of the Object 1 rolled into it.
    This is why to me, Object 1 is simply
    sightings of observed data (IE we already have this). Object 2 however
    can't be communicated that way in it's current form. It is much more than
    observed data. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security Without data, all you are is just another person with an opinion - Unknown
    From:      
      "Katz, Gary CTR
    DC3\DCCI" <Gary.Katz.ctr@dc3.mil> To:      
      Sarah Kelley <Sarah.Kelley@cisecurity.org>,
    "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date:      
      09/11/2017 12:01 PM Subject:    
        [cti-stix] RE:
    Current thoughts on Event Object Sent by:    
        <cti-stix@lists.oasis-open.org> Sarah,    I think this
    is a nice breakdown of the various types of event use cases.  I’d
    be interested in seeing whether objects 3-5 could be combined into one
    object type and object 1 and 2 would be a separate object type (perhaps
    covered under some variation of a Sighting or Observed Data.. maybe?)      One of the big
    reasons for this is if we have 5 different object types, people will invariantly
    not understand the distinction and use the wrong object type, creating
    issues on the receiving side and on correlation between events.  I
    would state that Object 3 should be the information you wish to send to
    another organization concerning an investigation, but the internals of
    how that investigation workflows occur would not be included within STIX. 
    The reporting agency in object 4 therefore would just be one of the organizations
    receiving the information.  It also means that the tools do not need
    to reformat information differently for mandatory reporting rather than
    a standard investigation.       Our organization
    has similar reporting requirements as US CERT.  My plan was to take
    the event object and add custom properties to it to support the Object
    4 use case.  Since the reporting requirements will differ for each
    agency, it would be very difficult for OASIS to have an influence on what
    each agency (whether US or foreign) would wish to receive, I’d suggest
    keeping it at the custom property level.  The useful cyber intelligence
    data though should mirror what is anyway useful for sending in object 3.     Object 5 I see as
    mainly being useful when you can add context to why you are grouping the
    stuff together, in which case it starts to look close to Object 3.   -Gary   From: cti-stix@lists.oasis-open.org
    [ mailto:cti-stix@lists.oasis-open.org ]
    On Behalf Of Sarah Kelley Sent: Monday, September 11, 2017 9:41 AM To: cti-stix@lists.oasis-open.org Subject: [Non-DoD Source] [cti-stix] Current thoughts on Event Object   CTI-TC,   I have made an attempt to summarize the
    discussion to date surrounding the Event object. I have tried to use the
    diagrams that we’ve been referencing that show several workflows and where
    I see the various SDOs we have been discussing.   I think there are five separate things
    that we’ve been talking about with regards to “Event”:   Object 1) Some sort of front end device
    sensing something. You could call this an alert, an event, a log line,
    etc. Object 2) A somewhat more mature version
    of the thing above. It may be one to one, but it may not be. There
    may be many of Object #1 that make up one Object #2. Object 3) A way to document an incident/investigation
    that is either ongoing or concluded. This may (or may not) have come from
    an evolution out of an Object 1 or 2. Likely, most IR tools will not use
    Object 3 directly, so it should probably be a sort of summary object that
    can allow the results of an IR investigation to be linked back to all the
    related data (like Objects 1 and 2, but also Actors, malware, etc) Object 4) Some sort of automated method
    of reporting, for cases such as mandatory reporting (like to US CERT).
    Object 5) A way to group a bunch of related
    data together.   I see these as five distinct SDOs. Objects
    1 and 2 are very similar, and could be represented by one SDO, but
    if that was the case, then the SDO would need to have a relationship type
    of “this arglebargle is one of many arglebargles that make up this larger
    arglebargle”.   Object 1 has a lot of logistical overlap
    with a Sighting. There would need to be some sort of deconfliction between
    what properties were trying to be represented by Object 1 to make sure
    it wasn’t just a duplicate of Sighting (which, by definition, is something
    that was ‘seen’, just as Object 1 was described to be). This could also
    just be an Observed Data object, if the it wasn’t actually “sighted”.
      Object 2 is something that would likely
    be looked at by a SOC analyst. It isn’t really something that involves
    IR, but rather “is this thing my sensor generated good or bad?”   Object 3 is for your IR people or your
    CERT.   Object 4 is likely distinct from the Report
    object as we have it now, as it’s not likely to be in the same vein as
    a ‘published report’, but rather, “Here are the series of questions
    that US CERT makes me answer every time we have an ‘incident’”.   Object 5 is basically what MISP has been
    asking for.   I believe Objects 1-3 roughly correlate
    to the first three objects from the FireEye proposal of “Event”, “Alert”,
    and “Investigation”. Object 5 is closer to their “Grouping” object.
      All that being said, many of these tasks
    are not currently done in STIX (if not most of them). In the diagram, we
    have the TIP (in green) as being a separate object that lives alongside
    the workflow, but isn’t really IN the workflow. That being said,
    if we added objects 1, 2, 4, and 5, I think it could allow for easier data
    flow into/out of a TIP. (I don’t think the IR object will ever be used
    directly by the types of tools that produce that data, but maybe I’m wrong.)
      Personally, I think the Event object as
    it currently stands is somewhat of a combination of Object 2 and Object
    3. If people agree that these are really separate objects, I think we could
    scope out a few properties and turn the current Event object into Object
    2 or Object 3 fairly easily (or easily split it into two objects). I think
    Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed
    Data). I think Object 4 is out of scope for 2.1. I think Object 5 will
    be covered by the “collection vs. report” debate/object, for which we
    should soon have a proposal.         Thoughts are appreciated.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information
    Sharing and Analysis Center (MS-ISAC)          
            31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations
    Center SOC@cisecurity.org - 1-866-787-4722                  
      This message and attachments may contain
    confidential information. If it appears that this message was sent to you
    by mistake, any retention, dissemination, distribution or copying of this
    message and attachments is strictly prohibited. Please notify the sender
    immediately and permanently delete the message and any attachments. . . . . . ..... This message and attachments may
    contain confidential information. If it appears that this message was sent
    to you by mistake, any retention, dissemination, distribution or copying
    of this message and attachments is strictly prohibited. Please notify the
    sender immediately and permanently delete the message and any attachments.
    . . . . .



  • 5.  Re: [cti-stix] RE: Current thoughts on Event Object

    Posted 09-11-2017 15:39




    +1
     

    Sean Barnum
    Principal Architect
    FireEye
    M: 703.473.8262

    E: sean.barnum@fireeye.com
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Date: Monday, September 11, 2017 at 11:22 AM
    To: "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Sarah Kelley <Sarah.Kelley@cisecurity.org>
    Subject: Re: [cti-stix] RE: Current thoughts on Event Object


     

    Hi Gary - in my opinion, object 1 and 2 could not be combined as they are very different use cases.


    Object 1 is essentially "the event as it was seen". Object 2  is the result of an analytic process - which may have dozens to or thousands of the Object 1 rolled into it.


    This is why to me, Object 1 is simply sightings of observed data (IE we already have this). Object 2 however can't be communicated that way in it's current form. It is much more than observed data.


    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security

    Without data, all you are is just another person with an opinion - Unknown




    From:         "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>
    To:         Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date:         09/11/2017 12:01 PM
    Subject:         [cti-stix] RE: Current thoughts on Event Object
    Sent by:         <cti-stix@lists.oasis-open.org>






    Sarah,
       I think this is a nice breakdown of the various types of event use cases.  I’d be interested in seeing whether objects 3-5 could be combined into one object type and object 1 and 2 would be a separate object type
    (perhaps covered under some variation of a Sighting or Observed Data.. maybe?)
     
       One of the big reasons for this is if we have 5 different object types, people will invariantly not understand the distinction and use the wrong object type, creating issues on the receiving side and on correlation
    between events.  I would state that Object 3 should be the information you wish to send to another organization concerning an investigation, but the internals of how that investigation workflows occur would not be included within STIX.  The reporting agency
    in object 4 therefore would just be one of the organizations receiving the information.  It also means that the tools do not need to reformat information differently for mandatory reporting rather than a standard investigation. 

     
       Our organization has similar reporting requirements as US CERT.  My plan was to take the event object and add custom properties to it to support the Object 4 use case.  Since the reporting requirements will differ
    for each agency, it would be very difficult for OASIS to have an influence on what each agency (whether US or foreign) would wish to receive, I’d suggest keeping it at the custom property level.  The useful cyber intelligence data though should mirror what
    is anyway useful for sending in object 3.
     
      Object 5 I see as mainly being useful when you can add context to why you are grouping the stuff together, in which case it starts to look close to Object 3.
     
    -Gary
     
    From: cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
    On Behalf Of Sarah Kelley
    Sent: Monday, September 11, 2017 9:41 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [Non-DoD Source] [cti-stix] Current thoughts on Event Object
     
    CTI-TC,
     
    I have made an attempt to summarize the discussion to date surrounding the Event object. I have tried to use the diagrams that we’ve been referencing that show several workflows and where I see the various SDOs we have been discussing.
     
    I think there are five separate things that we’ve been talking about with regards to “Event”:
     
    Object 1) Some sort of front end device sensing something. You could call this an alert, an event, a log line, etc.

    Object 2) A somewhat more mature version of the thing above. It
    may be one to one, but it may not be. There may be many of Object #1 that make up one Object #2.

    Object 3) A way to document an incident/investigation that is either ongoing or concluded. This may (or may not) have come from an evolution out of an Object 1 or 2. Likely, most IR tools will not use Object 3 directly, so it
    should probably be a sort of summary object that can allow the results of an IR investigation to be linked back to all the related data (like Objects 1 and 2, but also Actors, malware, etc)
    Object 4) Some sort of automated method of reporting, for cases such as mandatory reporting (like to US CERT).

    Object 5) A way to group a bunch of related data together.

     
    I see these as five distinct SDOs. Objects 1 and 2 are very similar, and
    could be represented by one SDO, but if that was the case, then the SDO would need to have a relationship type of “this arglebargle is one of many arglebargles that make up this larger arglebargle”.
     
    Object 1 has a lot of logistical overlap with a Sighting. There would need to be some sort of deconfliction between what properties were trying to be represented by Object 1 to make sure it wasn’t just a duplicate of Sighting
    (which, by definition, is something that was ‘seen’, just as Object 1 was described to be). This could also just be an Observed Data object, if the it wasn’t actually “sighted”.

     
    Object 2 is something that would likely be looked at by a SOC analyst. It isn’t really something that involves IR, but rather “is this thing my sensor generated good or bad?”
     
    Object 3 is for your IR people or your CERT.

     
    Object 4 is likely distinct from the Report object as we have it now, as it’s not likely to be in the same vein as a ‘published report’, but rather, “Here are the series of questions that US CERT makes me answer every time we
    have an ‘incident’”.
     
    Object 5 is basically what MISP has been asking for.

     
    I believe Objects 1-3 roughly correlate to the first three objects from the FireEye proposal of “Event”, “Alert”, and “Investigation”. Object 5 is closer to their “Grouping” object.

     
    All that being said, many of these tasks are not currently done in STIX (if not most of them). In the diagram, we have the TIP (in green) as being a separate object that lives alongside the workflow, but isn’t really
    IN the workflow. That being said, if we added objects 1, 2, 4, and 5, I think it could allow for easier data flow into/out of a TIP. (I don’t think the IR object will ever be used directly by the types of tools that produce that data, but maybe I’m wrong.)

     
    Personally, I think the Event object as it currently stands is somewhat of a combination of Object 2 and Object 3. If people agree that these are really separate objects, I think we could scope out a few properties and turn the
    current Event object into Object 2 or Object 3 fairly easily (or easily split it into two objects). I think Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed Data). I think Object 4 is out of scope for 2.1. I think Object 5
    will be covered by the “collection vs. report” debate/object, for which we should soon have a proposal.

     
     

     
     
    Thoughts are appreciated.
     
    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                  

    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org - 1-866-787-4722
     

             
       
     
     
    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
    Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .
    .....


    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message
    and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .





    This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.
    If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.





  • 6.  Re: [EXT] [cti-stix] RE: Current thoughts on Event Object

    Posted 09-12-2017 17:27
    I agree with Gary here. Bret From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Katz, Gary CTR DC3DCCI <Gary.Katz.ctr@dc3.mil> Sent: Monday, September 11, 2017 9:00:42 AM To: Sarah Kelley; cti-stix@lists.oasis-open.org Subject: [EXT] [cti-stix] RE: Current thoughts on Event Object   Sarah,    I think this is a nice breakdown of the various types of event use cases.  I’d be interested in seeing whether objects 3-5 could be combined into one object type and object 1 and 2 would be a separate object type (perhaps covered under some variation of a Sighting or Observed Data.. maybe?)      One of the big reasons for this is if we have 5 different object types, people will invariantly not understand the distinction and use the wrong object type, creating issues on the receiving side and on correlation between events.  I would state that Object 3 should be the information you wish to send to another organization concerning an investigation, but the internals of how that investigation workflows occur would not be included within STIX.  The reporting agency in object 4 therefore would just be one of the organizations receiving the information.  It also means that the tools do not need to reformat information differently for mandatory reporting rather than a standard investigation.       Our organization has similar reporting requirements as US CERT.  My plan was to take the event object and add custom properties to it to support the Object 4 use case.  Since the reporting requirements will differ for each agency, it would be very difficult for OASIS to have an influence on what each agency (whether US or foreign) would wish to receive, I’d suggest keeping it at the custom property level.  The useful cyber intelligence data though should mirror what is anyway useful for sending in object 3.     Object 5 I see as mainly being useful when you can add context to why you are grouping the stuff together, in which case it starts to look close to Object 3.   -Gary   From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sarah Kelley Sent: Monday, September 11, 2017 9:41 AM To: cti-stix@lists.oasis-open.org Subject: [Non-DoD Source] [cti-stix] Current thoughts on Event Object   CTI-TC,   I have made an attempt to summarize the discussion to date surrounding the Event object. I have tried to use the diagrams that we’ve been referencing that show several workflows and where I see the various SDOs we have been discussing.   I think there are five separate things that we’ve been talking about with regards to “Event”:   Object 1) Some sort of front end device sensing something. You could call this an alert, an event, a log line, etc.  Object 2) A somewhat more mature version of the thing above. It may be one to one, but it may not be. There may be many of Object #1 that make up one Object #2.  Object 3) A way to document an incident/investigation that is either ongoing or concluded. This may (or may not) have come from an evolution out of an Object 1 or 2. Likely, most IR tools will not use Object 3 directly, so it should probably be a sort of summary object that can allow the results of an IR investigation to be linked back to all the related data (like Objects 1 and 2, but also Actors, malware, etc) Object 4) Some sort of automated method of reporting, for cases such as mandatory reporting (like to US CERT).  Object 5) A way to group a bunch of related data together.    I see these as five distinct SDOs. Objects 1 and 2 are very similar, and could be represented by one SDO, but if that was the case, then the SDO would need to have a relationship type of “this arglebargle is one of many arglebargles that make up this larger arglebargle”.   Object 1 has a lot of logistical overlap with a Sighting. There would need to be some sort of deconfliction between what properties were trying to be represented by Object 1 to make sure it wasn’t just a duplicate of Sighting (which, by definition, is something that was ‘seen’, just as Object 1 was described to be). This could also just be an Observed Data object, if the it wasn’t actually “sighted”.   Object 2 is something that would likely be looked at by a SOC analyst. It isn’t really something that involves IR, but rather “is this thing my sensor generated good or bad?”   Object 3 is for your IR people or your CERT.    Object 4 is likely distinct from the Report object as we have it now, as it’s not likely to be in the same vein as a ‘published report’, but rather, “Here are the series of questions that US CERT makes me answer every time we have an ‘incident’”.    Object 5 is basically what MISP has been asking for.    I believe Objects 1-3 roughly correlate to the first three objects from the FireEye proposal of “Event”, “Alert”, and “Investigation”. Object 5 is closer to their “Grouping” object.    All that being said, many of these tasks are not currently done in STIX (if not most of them). In the diagram, we have the TIP (in green) as being a separate object that lives alongside the workflow, but isn’t really IN the workflow. That being said, if we added objects 1, 2, 4, and 5, I think it could allow for easier data flow into/out of a TIP. (I don’t think the IR object will ever be used directly by the types of tools that produce that data, but maybe I’m wrong.)    Personally, I think the Event object as it currently stands is somewhat of a combination of Object 2 and Object 3. If people agree that these are really separate objects, I think we could scope out a few properties and turn the current Event object into Object 2 or Object 3 fairly easily (or easily split it into two objects). I think Object 1 is out of scope for 2.1 (unless it’s already covered by sighting/Observed Data). I think Object 4 is out of scope for 2.1. I think Object 5 will be covered by the “collection vs. report” debate/object, for which we should soon have a proposal.         Thoughts are appreciated.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722                        This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . . ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .